Installation

This page documents the installation of the AIStor Key Encryption Service for the purpose of supporting migration to AIStor Key Manager. You may require root or sudo permissions to perform some of the steps.

Linux

AMD64

curl --progress-bar --retry 10 -L https://dl.min.io/aistor/kes/release/linux-amd64/kes -o kes

chmod +x ./kes
mv ./kes /usr/local/bin/kes

kes --version

ARM64

curl --progress-bar --retry 10 -L https://dl.min.io/aistor/kes/release/linux-arm64/kes -o kes

chmod +x ./kes
mv ./kes /usr/local/bin/kes

kes --version

You must modify the KES startup parameters to include the --license <SUBNET-LICENSE> parameter before restarting KES.

MacOS

AIStor KES is only available for Apple M-series processor (ARM) machines:

curl --progress-bar --retry 10 -L https://dl.min.io/aistor/kes/release/darwin-arm64/kes -o kes

chmod +x ./kes
mv ./kes /usr/local/bin/kes

kes --version

Once installed, set the following environment variables to allow the kes process to communicate with the remote KES server:

export KES_SERVER=https://kes-1.example.net:7373
export KES_CLIENT_CERT=client.crt
export KES_CLIENT_KEY=client.key

The client.crt and client.key must correspond to a TLS certificate pair configured with access to the KES server and API operations. See the KES documentation on policies and identities for more information.

The kes process by default must validate the remote server certificate as part of establishing a connection. The process uses both the system trust store of Certificate Authorities and the content of the $HOME/.kes/certs/CAs directory. Ensure either the trust store or the CAs directory contain the necessary root and intermediate certificates for validating the remote KES host.